Academic Commons Search Results
Feed: http://academiccommons.columbia.edu/catalog.rss?f%5Bauthor_facet%5D%5B%5D=Cui%2C+Ang&f%5Bauthor_facet%5D%5B%5D=Stolfo%2C+Salvatore&q=&rows=500&sort=record_creation_date+desc
Language: en-us

Title: From Prey to Hunter: Transforming Legacy Embedded Devices into Exploitation Sensor Grids
URL: http://academiccommons.columbia.edu/catalog/ac:153316
Authors: Cui, Ang; Kataria, Jatin; Stolfo, Salvatore
Handle: http://hdl.handle.net/10022/AC:P:14912
Date: Fri, 12 Oct 2012 00:00:00 +0000
Abstract: Our global communication infrastructures are powered by large numbers of legacy embedded devices. Recent advances in offensive technologies targeting embedded systems have shown that the stealthy exploitation of high-value embedded devices such as routers and firewalls is indeed feasible. However, little to no host-based defensive technology is available to monitor and protect these devices, leaving large numbers of critical devices defenseless against exploitation. We devised a method of augmenting legacy embedded devices, like Cisco routers, with host-based defenses in order to create a stealthy, embedded sensor grid capable of monitoring and capturing real-world attacks against the devices which constitute the bulk of the Internet substrate. Using a software mechanism which we call the Symbiote, a whitelist-based code modification detector is automatically injected in situ into Cisco IOS, producing a fully functional router firmware capable of detecting and capturing successful attacks against itself for analysis. Using the Symbiote-protected router as the main component, we designed a sensor system which requires no modification to existing hardware, fully preserves the functionality of the original firmware, and detects unauthorized modification of memory within 450 ms. We believe that it is feasible to use the techniques described in this paper to inject monitoring and defensive capability into existing routers to create an early attack warning system to protect the Internet substrate.
Subjects: Computer science
Author UNIs: ac2024, jk3319, sjs11
Department: Computer Science
Type: Articles

Title: Concurrency Attacks
URL: http://academiccommons.columbia.edu/catalog/ac:153247
Authors: Yang, Junfeng; Cui, Ang; Stolfo, Salvatore; Sethumadhavan, Lakshminarasimhan
Handle: http://hdl.handle.net/10022/AC:P:14890
Date: Thu, 11 Oct 2012 00:00:00 +0000
Abstract: Just as errors in sequential programs can lead to security exploits, errors in concurrent programs can lead to concurrency attacks. Questions such as whether these attacks are real and what characteristics they have remain largely unknown. In this paper, we present a preliminary study of concurrency attacks and the security implications of real concurrency errors. Our study yields several interesting findings. For instance, we observe that the exploitability of a concurrency error depends on the duration of the timing window within which the error may occur. We further observe that attackers can increase this window through carefully crafted inputs. We also find that four out of five commonly used sequential defense mechanisms become unsafe when applied to concurrent programs. Based on our findings, we propose new defense directions and fixes to existing defenses.
Subjects: Computer science
Author UNIs: jy2324, ac2024, sjs11, ss3418
Department: Computer Science
Type: Articles

Title: Print Me If You Dare: Firmware Modification Attacks and the Rise of Printer Malware
URL: http://academiccommons.columbia.edu/catalog/ac:153271
Authors: Cui, Ang; Stolfo, Salvatore
Handle: http://hdl.handle.net/10022/AC:P:14897
Date: Thu, 11 Oct 2012 00:00:00 +0000
Abstract: Network printers are ubiquitous fixtures within the modern IT infrastructure. Residing within sensitive networks and lacking in security, these devices represent high-value targets that can theoretically be used not only to manipulate and exfiltrate sensitive information such as network credentials and sensitive documents, but also as fully functional general-purpose bot-nodes which give attackers a stealthy, persistent foothold inside the victim network for further reconnaissance, exploitation and exfiltration.
Subjects: Computer science
Author UNIs: ac2024, sjs11
Department: Computer Science
Type: Presentations

Title: Reflections on the Engineering and Operation of a Large-Scale Embedded Device Vulnerability Scanner
URL: http://academiccommons.columbia.edu/catalog/ac:153210
Authors: Cui, Ang; Stolfo, Salvatore
Handle: http://hdl.handle.net/10022/AC:P:14879
Date: Wed, 10 Oct 2012 00:00:00 +0000
Abstract: We present important lessons learned from the engineering and operation of a large-scale embedded device vulnerability scanner infrastructure. Developed and refined over the period of one year, our vulnerability scanner monitored large portions of the Internet and was able to identify over 1.1 million publicly accessible, trivially vulnerable embedded devices. The data collected has helped us move beyond vague, anecdotal suspicions of embedded insecurity towards a realistic quantitative understanding of the current threat. In this paper, we describe our experimental methodology and reflect on key technical, organizational and social challenges encountered during our research. We also discuss several key technical design missteps and operational failures and their solutions.
Subjects: Computer science, Web studies
Author UNIs: ac2024, sjs11
Department: Computer Science
Type: Articles

Title: Usable Secure Private Search
URL: http://academiccommons.columbia.edu/catalog/ac:153213
Authors: Raykova, Mariana Petrova; Cui, Ang; Vo, Binh D.; Liu, Bin; Malkin, Tal G.; Bellovin, Steven Michael; Stolfo, Salvatore
Handle: http://hdl.handle.net/10022/AC:P:14857
Date: Tue, 09 Oct 2012 00:00:00 +0000
Abstract: Real-world applications commonly require untrusting parties to share sensitive information securely. This article describes a secure anonymous database search (SADS) system that provides exact keyword match capability. Using a new reroutable encryption and the ideas of Bloom filters and deterministic encryption, SADS lets multiple parties efficiently execute exact-match queries over distributed encrypted databases in a controlled manner. This article further considers a more general search setting allowing similarity searches, going beyond existing work that considers similarity in terms of error tolerance and Hamming distance. This article presents a general framework, built on the cryptographic and privacy-preserving guarantees of the SADS primitive, for engineering usable private secure search systems.
Subjects: Computer science
Author UNIs: mpr2111, ac2024, bdv2112, bl2329, tm2118, smb2132, sjs11
Department: Computer Science
Type: Articles

Title: A Quantitative Analysis of the Insecurity of Embedded Network Devices: Results of a Wide-Area Scan
URL: http://academiccommons.columbia.edu/catalog/ac:142655
Authors: Cui, Ang; Stolfo, Salvatore
Handle: http://hdl.handle.net/10022/AC:P:12018
Date: Fri, 16 Dec 2011 00:00:00 +0000
Abstract: We present a quantitative lower bound on the number of vulnerable embedded devices on a global scale. Over the past year, we have systematically scanned large portions of the internet to monitor the presence of trivially vulnerable embedded devices. At the time of writing, we have identified over 540,000 publicly accessible embedded devices configured with factory default root passwords. This constitutes over 13% of all discovered embedded devices. These devices range from enterprise equipment such as firewalls and routers to consumer appliances such as VoIP adapters, cable and IPTV boxes to office equipment such as network printers and video conferencing units. Vulnerable devices were detected in 144 countries, across 17,427 unique private enterprise, ISP, government, educational, satellite provider as well as residential network environments. Preliminary results from our longitudinal study tracking over 102,000 vulnerable devices revealed that over 96% of such accessible devices remain vulnerable after a 4-month period. We believe the data presented in this paper provides a conservative lower bound on the actual population of vulnerable devices in the wild. By combining the observed vulnerability distributions and their potential root causes, we propose a set of mitigation strategies and hypothesize about their quantitative impact on reducing the global vulnerable embedded device population. Employing our strategy, we have partnered with Team Cymru to engage key organizations capable of significantly reducing the number of trivially vulnerable embedded devices currently on the internet. As an ongoing longitudinal study, we plan to gather data continuously over the next year in order to quantify the effectiveness of the community's cumulative effort to mitigate this pervasive threat.
Subjects: Computer science
Author UNIs: ac2024, sjs11
Department: Computer Science
Type: Articles

Title: Defending Embedded Systems with Software Symbiotes
URL: http://academiccommons.columbia.edu/catalog/ac:142644
Authors: Cui, Ang; Stolfo, Salvatore
Handle: http://hdl.handle.net/10022/AC:P:12013
Date: Fri, 16 Dec 2011 00:00:00 +0000
Abstract: A large number of embedded devices on the internet, such as routers and VOIP phones, are typically ripe for exploitation. Little to no defensive technology, such as AV scanners or IDSs, is available to protect these devices. We propose a host-based defense mechanism, which we call Symbiotic Embedded Machines (SEM), that is specifically designed to inject intrusion detection functionality into the firmware of the device. A SEM, or simply the Symbiote, may be injected into deployed legacy embedded systems with no disruption to the operation of the device. A Symbiote is a code structure embedded in situ into the firmware of an embedded system. The Symbiote can tightly co-exist with arbitrary host executables in a mutually defensive arrangement, sharing computational resources with its host while simultaneously protecting the host against exploitation and unauthorized modification. The Symbiote is stealthily embedded in a randomized fashion within an arbitrary body of firmware to protect itself from removal. We demonstrate the operation of a generic whitelist-based rootkit detector Symbiote injected in situ into Cisco IOS with negligible performance penalty and without impacting the router's functionality. We present the performance overhead of a Symbiote on physical Cisco router hardware. A MIPS implementation of the Symbiote was ported to ARM and injected into a Linux 2.4 kernel, allowing the Symbiote to operate within Android and other mobile computing devices. The use of Symbiotes represents a practical and effective protection mechanism for a wide range of devices, especially widely deployed, unprotected, legacy embedded devices.
Subjects: Computer science
Author UNIs: ac2024, sjs11
Department: Computer Science
Type: Articles

Title: Killing the Myth of Cisco IOS Diversity: Recent Advances in Reliable Shellcode Design
URL: http://academiccommons.columbia.edu/catalog/ac:142658
Authors: Cui, Ang; Kataria, Jatin; Stolfo, Salvatore
Handle: http://hdl.handle.net/10022/AC:P:12019
Date: Fri, 16 Dec 2011 00:00:00 +0000
Abstract: IOS firmware diversity, the unintended consequence of a complex firmware compilation process, has historically made reliable exploitation of Cisco routers difficult. With approximately 300,000 unique IOS images in existence, a new class of version-agnostic shellcode is needed in order to make the large-scale exploitation of Cisco IOS possible. We show that such attacks are now feasible by demonstrating two different reliable shellcodes which will operate correctly over many Cisco hardware platforms and all known IOS versions. We propose a novel two-phase attack strategy against Cisco routers and the use of offline analysis of existing IOS images to defeat IOS firmware diversity. Furthermore, we discuss a new IOS rootkit which hijacks all interrupt service routines within the router and its ability to intercept and modify process-switched packets just before they are scheduled for transmission. This ability allows the attacker to use the payload of innocuous packets, like ICMP, as a covert command and control channel. The same mechanism can be used to stealthily exfiltrate data out of the router, using response packets generated by the router itself as the vehicle. We present the implementation and quantitative reliability measurements by testing both shellcode algorithms against a large collection of IOS images. As our experimental results show, the techniques proposed in this paper can reliably inject command and control capabilities into arbitrary IOS images in a version-agnostic manner. We believe that the technique presented in this paper overcomes an important hurdle in the large-scale, reliable rootkit execution within Cisco IOS. Thus, effective host-based defense for such routers is imperative for maintaining the integrity of our global communication infrastructures.
Subjects: Computer science
Author UNIs: ac2024, jk3319, sjs11
Department: Computer Science
Type: Articles

Title: A Quantitative Analysis of the Insecurity of Embedded Network Devices: Results of a Wide-Area Scan
URL: http://academiccommons.columbia.edu/catalog/ac:138106
Authors: Cui, Ang; Stolfo, Salvatore
Handle: http://hdl.handle.net/10022/AC:P:11058
Date: Thu, 01 Sep 2011 00:00:00 +0000
Abstract: We present a quantitative lower bound on the number of vulnerable embedded devices on a global scale. Over the past year, we have systematically scanned large portions of the internet to monitor the presence of trivially vulnerable embedded devices. At the time of writing, we have identified over 540,000 publicly accessible embedded devices configured with factory default root passwords. This constitutes over 13% of all discovered embedded devices. These devices range from enterprise equipment such as firewalls and routers to consumer appliances such as VoIP adapters, cable and IPTV boxes to office equipment such as network printers and video conferencing units. Vulnerable devices were detected in 144 countries, across 17,427 unique private enterprise, ISP, government, educational, satellite provider as well as residential network environments. Preliminary results from our longitudinal study tracking over 102,000 vulnerable devices revealed that over 96% of such accessible devices remain vulnerable after a 4-month period. We believe the data presented in this paper provides a conservative lower bound on the actual population of vulnerable devices in the wild. By combining the observed vulnerability distributions and their potential root causes, we propose a set of mitigation strategies and hypothesize about their quantitative impact on reducing the global vulnerable embedded device population. Employing our strategy, we have partnered with Team Cymru to engage key organizations capable of significantly reducing the number of trivially vulnerable embedded devices currently on the internet. As an ongoing longitudinal study, we plan to gather data continuously over the next year in order to quantify the effectiveness of the community's cumulative effort to mitigate this pervasive threat.
Subjects: Computer science
Author UNIs: ac2024, sjs11
Department: Computer Science
Type: Articles

Title: Concurrency Attacks
URL: http://academiccommons.columbia.edu/catalog/ac:135489
Authors: Yang, Junfeng; Cui, Ang; Gallagher, John Martin; Stolfo, Salvatore; Sethumadhavan, Lakshminarasimhan
Handle: http://hdl.handle.net/10022/AC:P:10681
Date: Mon, 11 Jul 2011 00:00:00 +0000
Abstract: Just as errors in sequential programs can lead to security exploits, errors in concurrent programs can lead to concurrency attacks. In this paper, we present an in-depth study of concurrency attacks and how they may affect existing defenses. Our study yields several interesting findings. For instance, we find that concurrency attacks can corrupt non-pointer data, such as user identifiers, which existing memory-safety defenses cannot handle. Inspired by our findings, we propose new defense directions and fixes to existing defenses.
Subjects: Computer science
Author UNIs: jy2324, ac2024, jmg2016, sjs11, ss3418
Department: Computer Science
Type: Technical reports

Title: Ethics in Security Vulnerability Research
URL: http://academiccommons.columbia.edu/catalog/ac:134611
Authors: Matwyshyn, Andrea M.; Cui, Ang; Keromytis, Angelos D.; Stolfo, Salvatore
Handle: http://hdl.handle.net/10022/AC:P:10581
Date: Thu, 23 Jun 2011 00:00:00 +0000
Abstract: Debate has arisen in the scholarly community, as well as among policymakers and business entities, regarding the role of vulnerability researchers and security practitioners as sentinels of information security adequacy. The exact definition of vulnerability research and who counts as a "vulnerability researcher" is a subject of debate in the academic and business communities. For purposes of this article, we presume that vulnerability researchers are driven by a desire to prevent information security harms and engage in responsible disclosure upon discovery of a security vulnerability. Yet provided that these researchers and practitioners do not themselves engage in conduct that causes harm, their conduct doesn't necessarily run afoul of ethical and legal considerations. We advocate crafting a code of conduct for vulnerability researchers and practitioners, including the implementation of procedural safeguards to ensure minimization of harm.
Subjects: Computer science
Author UNIs: ac2024, ak2052, sjs11
Department: Computer Science
Type: Articles

Title: Brave New World: Pervasive Insecurity of Embedded Network Devices
URL: http://academiccommons.columbia.edu/catalog/ac:125626
Authors: Cui, Ang; Song, Yingbo; Prabhu, Pratap; Stolfo, Salvatore
Handle: http://hdl.handle.net/10022/AC:P:8668
Date: Tue, 20 Apr 2010 00:00:00 +0000
Abstract: Embedded network devices have become a ubiquitous fixture in the modern home and office as well as in the global communication infrastructure. Devices like routers, NAS appliances, home entertainment appliances, wifi access points, web cams, VoIP appliances, print servers and video conferencing units reside on the same networks as our personal computers and enterprise servers and together form our world-wide communication infrastructure. Widely deployed and often misconfigured, they constitute highly attractive targets for exploitation. In this study we present the results of a vulnerability assessment of embedded network devices within the world's largest ISPs and civilian networks, spanning North America, Europe and Asia. The observed data confirms the intuition that these devices are indeed vulnerable to trivial attacks and that such devices can be found throughout the world in large numbers.
Subjects: Computer science
Author UNIs: ac2024, ys2242, pvp2105, sjs11
Department: Computer Science
Type: Articles